tomcat-users mailing list archives

Hello,
I would like to be able to require authentication optionally and make my
servlets or JSPs behave differently depending on which Principals they get.
For example, I'd like a GET to be able to return a 200 status and not
401, even if the user has not been authenticated.
Presumably, this is similar to what happens on web sites that say in a
corner "You're not logged in", but still display some information (e.g.
forums).
I've managed to set up authentication using either HTTP Basic or SSL
client certificates. However, I'm not sure if there are mechanisms to
let the servlet handle the roles and restrictions "manually", for
example using request.getUserPrincipal().
When I use this type of configuration:
<security-constraint>
<web-resource-collection>
<web-resource-name>Test</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
the authentication works, but removing the <auth-constraint /> element
removes any authentication challenge, even if, in this case, a
recognised SSL client certificate is used (whether using
clientAuth="true" or clientAuth="want"). I'd also like the solution not
to rely on
request.getAttribute("javax.servlet.request.X509Certificate"), as I'd
like to be able to keep the abstraction provided by <auth-method />, etc.
Any suggestions? I might have missed something in the documentation.
Best wishes,
Bruno.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org